glibc/patches/glibc-2.15-vfprintf-nargs.patch

diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index a847b28..080badc 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
	 tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
	 tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \
	 bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
-	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24
+	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
+	 bug-vfprintf-nargs

 test-srcs = tst-unbputc tst-printf

diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c
new file mode 100644
index 0000000..13c66c0
--- /dev/null
+++ b/stdio-common/bug-vfprintf-nargs.c
@@ -0,0 +1,78 @@
+/* Test for vfprintf nargs allocation overflow (BZ #13656).
+   Copyright (C) 2012 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+   Contributed by Kees Cook <keescook@chromium.org>, 2012.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, write to the Free
+   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+   02111-1307 USA.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <string.h>
+#include <signal.h>
+
+static int
+format_failed (const char *fmt, const char *expected)
+{
+  char output[80];
+
+  printf ("%s : ", fmt);
+
+  memset (output, 0, sizeof output);
+  /* Having sprintf itself detect a failure is good.  */
+  if (sprintf (output, fmt, 1, 2, 3, "test") > 0
+      && strcmp (output, expected) != 0)
+    {
+      printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
+      return 1;
+    }
+  puts ("ok");
+  return 0;
+}
+
+static int
+do_test (void)
+{
+  int rc = 0;
+  char buf[64];
+
+  /* Regular positionals work.  */
+  if (format_failed ("%1$d", "1") != 0)
+    rc = 1;
+
+  /* Regular width positionals work.  */
+  if (format_failed ("%1$*2$d", " 1") != 0)
+    rc = 1;
+
+  /* Positional arguments are constructed via read_int, so nargs can only
+     overflow on 32-bit systems.  On 64-bit systems, it will attempt to
+     allocate a giant amount of memory and possibly crash, which is the
+     expected situation.  Since the 64-bit behavior is arch-specific, only
+     test this on 32-bit systems.  */
+  if (sizeof (long int) == 4)
+    {
+      sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int));
+      if (format_failed (buf, "1 %$d") != 0)
+        rc = 1;
+    }
+
+  return rc;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 863cd5d..c802e46 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
      0 if unknown.  */
   int readonly_format = 0;

+  /* For the argument descriptions, which may be allocated on the heap.  */
+  void *args_malloced = NULL;
+
   /* This table maps a character into a number representing a
      class.  In each step there is a destination label for each
      class.  */
@@ -1647,9 +1650,10 @@ do_positional:
        determine the size of the array needed to store the argument
        attributes.  */
     size_t nargs = 0;
-    int *args_type;
-    union printf_arg *args_value = NULL;
+    size_t bytes_per_arg;
+    union printf_arg *args_value;
     int *args_size;
+    int *args_type;

     /* Positional parameters refer to arguments directly.  This could
        also determine the maximum number of arguments.  Track the
@@ -1698,13 +1702,38 @@ do_positional:

     /* Determine the number of arguments the format string consumes.  */
     nargs = MAX (nargs, max_ref_arg);
+    /* Calculate total size needed to represent a single argument across
+       all three argument-related arrays.  */
+    bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
+                    + sizeof (*args_type);
+
+    /* Check for potential integer overflow.  */
+    if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
+      {
+         __set_errno (ERANGE);
+         done = -1;
+         goto all_done;
+      }

-    /* Allocate memory for the argument descriptions.  */
-    args_type = alloca (nargs * sizeof (int));
+    /* Allocate memory for all three argument arrays.  */
+    if (__libc_use_alloca (nargs * bytes_per_arg))
+        args_value = alloca (nargs * bytes_per_arg);
+    else
+      {
+        args_value = args_malloced = malloc (nargs * bytes_per_arg);
+        if (args_value == NULL)
+          {
+            done = -1;
+            goto all_done;
+          }
+      }
+
+    /* Set up the remaining two arrays to each point past the end of the
+       prior array, since space for all three has been allocated now.  */
+    args_size = &args_value[nargs].pa_int;
+    args_type = &args_size[nargs];
     memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
-	    nargs * sizeof (int));
-    args_value = alloca (nargs * sizeof (union printf_arg));
-    args_size = alloca (nargs * sizeof (int));
+	    nargs * sizeof (*args_type));

     /* XXX Could do sanity check here: If any element in ARGS_TYPE is
        still zero after this loop, format is invalid.  For now we
@@ -1973,8 +2002,8 @@ do_positional:
   }

 all_done:
-  if (__builtin_expect (workstart != NULL, 0))
-    free (workstart);
+  free (args_malloced);
+  free (workstart);
   /* Unlock the stream.  */
   _IO_funlockfile (s);
   _IO_cleanup_region_end (0);
1	niro	1806	diff --git a/stdio-common/Makefile b/stdio-common/Makefile
2			index a847b28..080badc 100644
3			--- a/stdio-common/Makefile
4			+++ b/stdio-common/Makefile
5			@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
6			tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
7			tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \
8			bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
9			- scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24
10			+ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
11			+ bug-vfprintf-nargs
12
13			test-srcs = tst-unbputc tst-printf
14
15			diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c
16			new file mode 100644
17			index 0000000..13c66c0
18			--- /dev/null
19			+++ b/stdio-common/bug-vfprintf-nargs.c
20			@@ -0,0 +1,78 @@
21			+/* Test for vfprintf nargs allocation overflow (BZ #13656).
22			+ Copyright (C) 2012 Free Software Foundation, Inc.
23			+ This file is part of the GNU C Library.
24			+ Contributed by Kees Cook <keescook@chromium.org>, 2012.
25			+
26			+ The GNU C Library is free software; you can redistribute it and/or
27			+ modify it under the terms of the GNU Lesser General Public
28			+ License as published by the Free Software Foundation; either
29			+ version 2.1 of the License, or (at your option) any later version.
30			+
31			+ The GNU C Library is distributed in the hope that it will be useful,
32			+ but WITHOUT ANY WARRANTY; without even the implied warranty of
33			+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
34			+ Lesser General Public License for more details.
35			+
36			+ You should have received a copy of the GNU Lesser General Public
37			+ License along with the GNU C Library; if not, write to the Free
38			+ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
39			+ 02111-1307 USA. */
40			+
41			+#include <stdio.h>
42			+#include <stdlib.h>
43			+#include <stdint.h>
44			+#include <unistd.h>
45			+#include <inttypes.h>
46			+#include <string.h>
47			+#include <signal.h>
48			+
49			+static int
50			+format_failed (const char fmt, const char expected)
51			+{
52			+ char output[80];
53			+
54			+ printf ("%s : ", fmt);
55			+
56			+ memset (output, 0, sizeof output);
57			+ /* Having sprintf itself detect a failure is good. */
58			+ if (sprintf (output, fmt, 1, 2, 3, "test") > 0
59			+ && strcmp (output, expected) != 0)
60			+ {
61			+ printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
62			+ return 1;
63			+ }
64			+ puts ("ok");
65			+ return 0;
66			+}
67			+
68			+static int
69			+do_test (void)
70			+{
71			+ int rc = 0;
72			+ char buf[64];
73			+
74			+ /* Regular positionals work. */
75			+ if (format_failed ("%1$d", "1") != 0)
76			+ rc = 1;
77			+
78			+ /* Regular width positionals work. */
79			+ if (format_failed ("%1$*2$d", " 1") != 0)
80			+ rc = 1;
81			+
82			+ /* Positional arguments are constructed via read_int, so nargs can only
83			+ overflow on 32-bit systems. On 64-bit systems, it will attempt to
84			+ allocate a giant amount of memory and possibly crash, which is the
85			+ expected situation. Since the 64-bit behavior is arch-specific, only
86			+ test this on 32-bit systems. */
87			+ if (sizeof (long int) == 4)
88			+ {
89			+ sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int));
90			+ if (format_failed (buf, "1 %$d") != 0)
91			+ rc = 1;
92			+ }
93			+
94			+ return rc;
95			+}
96			+
97			+#define TEST_FUNCTION do_test ()
98			+#include "../test-skeleton.c"
99			diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
100			index 863cd5d..c802e46 100644
101			--- a/stdio-common/vfprintf.c
102			+++ b/stdio-common/vfprintf.c
103			@@ -235,6 +235,9 @@ vfprintf (FILE s, const CHAR_T format, va_list ap)
104			0 if unknown. */
105			int readonly_format = 0;
106
107			+ /* For the argument descriptions, which may be allocated on the heap. */
108			+ void *args_malloced = NULL;
109			+
110			/* This table maps a character into a number representing a
111			class. In each step there is a destination label for each
112			class. */
113			@@ -1647,9 +1650,10 @@ do_positional:
114			determine the size of the array needed to store the argument
115			attributes. */
116			size_t nargs = 0;
117			- int *args_type;
118			- union printf_arg *args_value = NULL;
119			+ size_t bytes_per_arg;
120			+ union printf_arg *args_value;
121			int *args_size;
122			+ int *args_type;
123
124			/* Positional parameters refer to arguments directly. This could
125			also determine the maximum number of arguments. Track the
126			@@ -1698,13 +1702,38 @@ do_positional:
127
128			/* Determine the number of arguments the format string consumes. */
129			nargs = MAX (nargs, max_ref_arg);
130			+ /* Calculate total size needed to represent a single argument across
131			+ all three argument-related arrays. */
132			+ bytes_per_arg = sizeof (args_value) + sizeof (args_size)
133			+ + sizeof (*args_type);
134			+
135			+ /* Check for potential integer overflow. */
136			+ if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
137			+ {
138			+ __set_errno (ERANGE);
139			+ done = -1;
140			+ goto all_done;
141			+ }
142
143			- /* Allocate memory for the argument descriptions. */
144			- args_type = alloca (nargs * sizeof (int));
145			+ /* Allocate memory for all three argument arrays. */
146			+ if (__libc_use_alloca (nargs * bytes_per_arg))
147			+ args_value = alloca (nargs * bytes_per_arg);
148			+ else
149			+ {
150			+ args_value = args_malloced = malloc (nargs * bytes_per_arg);
151			+ if (args_value == NULL)
152			+ {
153			+ done = -1;
154			+ goto all_done;
155			+ }
156			+ }
157			+
158			+ /* Set up the remaining two arrays to each point past the end of the
159			+ prior array, since space for all three has been allocated now. */
160			+ args_size = &args_value[nargs].pa_int;
161			+ args_type = &args_size[nargs];
162			memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
163			- nargs * sizeof (int));
164			- args_value = alloca (nargs * sizeof (union printf_arg));
165			- args_size = alloca (nargs * sizeof (int));
166			+ nargs * sizeof (*args_type));
167
168			/* XXX Could do sanity check here: If any element in ARGS_TYPE is
169			still zero after this loop, format is invalid. For now we
170			@@ -1973,8 +2002,8 @@ do_positional:
171			}
172
173			all_done:
174			- if (__builtin_expect (workstart != NULL, 0))
175			- free (workstart);
176			+ free (args_malloced);
177			+ free (workstart);
178			/* Unlock the stream. */
179			_IO_funlockfile (s);
180			_IO_cleanup_region_end (0);